As 2024 came to a close, New York Gov. Hochul signed two bills (A8872A and S2376B) amending New York’s data breach law. The amendments change both what constitutes personal information under the law and the timing of notification. The notice modification is now in effect; the change to the definition of personal information does not take effect until March 21, 2025.
As amended, the law now gives companies 30 days from discovery of a breach to notify impacted individuals. Previously, the law required notice to individuals “in the most expedient time possible and without reasonable delay.” The list of regulators to notify has also changed. Previously, businesses needed to provide notice to the NY Attorney General, the Department of State, and the Division of State Police. A fourth has been added: notice must now also be sent to the New York Department of Financial Services. Notification to each agency can be done via a form on the New York AG website.
The law’s definition of personal information has been expanded to include both medical information and health insurance information. New York joins a growing list of states to include these elements in their breach laws.
Putting it into Practice: Those who keep a running list of notification timing will need to add this New York change to it. New York also adds a regulatory authority to its notification list. Keep in mind the expanded definition of personal information when assessing breaches this year.